 
August 2002

Odyssey
by Geoff Marshall

 
FOR
Innovative EAP-TTLS protocol provides easy management, facilitating deployment across small and large enterprises.
AGAINST
Requires a Windows XP/2000 machine to host the Odyssey server software.
VERDICT
An end-to-end solution that provides highly secure access to wireless LANs without the performance and scalability problems of a VPN.

Odyssey, developed by Funk Software of Cambridge, Massachusetts, is designed to be a complete end-to-end 802.1x security solution that addresses the well-known security concerns posed by the popular wireless LAN (WLAN) and its flawed wired equivalent privacy (WEP) protocol. Odyssey includes client and server software to support the standard 802.1x security method EAP-TLS (extensible authentication protocol - transport layer security) included in Windows XP, and introduces support for the equally strong and more easily managed security protocol, EAP-TTLS.

The disadvantage of EAP-TLS security is that it requires each user to have a certificate. This imposes a substantial administrative burden in operating a certificate authority to distribute, revoke and manage user certificates. Problems also arise with EAP-TLS for the many people who use more than one PC. Such users must either transfer a single personal certificate and private key to each of their machines, or acquire a separate certificate for each machine that they operate. These certificate-management issues affect both the user and the administrator.

EAP-TTLS and EAP-TLS are similar in that both use transport layer security, the successor to SSL, as the underlying strong cryptography. However, EAP-TTLS differs in that only the RADIUS servers, not the users, are required to have certificates. The user is authenticated to the network using ordinary username and password credentials, which are made proof against interception by enclosing them in the TLS security wrapper.

The way EAP-TTLS works is comparable to the way secure web sites work, such as those that handle online credit card transactions. The web server proves its authenticity to the user by presenting its certificate. Then the user encrypts credit card information and sends it to the server. Online commerce does not require user certificates for maximum security, and neither should wireless LAN access. EAP-TTLS makes this possible. EAP-TTLS is an IETF draft standard jointly authored by Funk Software and Certicom, and is a working document of the PPP Extensions group. The full text of the IETF draft EAP-TTLS protocol (“EAP Tunneled TLS Authentication Protocol”) can be found at http://search.ietf.org/.

With EAP-TTLS, the user’s identity and password-based credentials are tunneled during authentication negotiation, and are therefore not observable in the communications channel. This prevents dictionary attacks, man-in-the-middle attacks, and hijacked connections by wireless eavesdroppers. Dynamic per-session keys are generated to encrypt the wireless connection and protect data privacy. Odyssey can be configured to re-authenticate and thus re-key at any interval; frequent re-keying thwarts known attacks against the encryption method (WEP) commonly used in 802.11 WLANs.

Odyssey offers enhanced manageability and ease of deployment as important benefits arising from its use of EAP-TTLS, since network managers can set up security based only on server-side certificates, rather than having to use both client- and server-side certificates. This approach still provides extremely strong security but reduces the administrative burden dramatically.

Odyssey Server is itself a RADIUS server, and each wireless access point becomes a RADIUS client. When EAP-TTLS is used, WLAN users can be authenticated against an enterprise’s Windows authentication database, without danger of dictionary attack or other intrusion techniques. This enables network administrators to deploy WLAN access using the security infrastructure they have already set up, and allows WLAN users to connect using the credentials they are accustomed to, from any PC.

Installation of Odyssey Server from the supplied CD-ROM is straightforward. The server also lets a network administrator pre-configure WLAN client settings and build a custom installation image for easy deployment of the Odyssey client to WLAN users.

Odyssey Server runs on Windows XP or 2000. The Odyssey client runs on Windows XP/2000/98/Me, and supports all wireless adapter cards that implement the standard set of NDIS 802.11 WLAN object identifiers (OIDs), so its deployment is not limited by hardware compatibility. Odyssey interoperates with a wide variety of 802.1x WLAN access points, including those from Agere, Cisco and Enterasys. Odyssey supports multiple EAP authentication types including EAP-TTLS and EAP-TLS. Within EAP-TTLS, Odyssey supports the tunneled authentication types PAP, MS-CHAP and MS-CHAPv2. Odyssey Server also supports EAP-Cisco Wireless (LEAP) for use with Cisco clients.
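As an added illustration of the tunneled credentials described above (not Funk's code and not taken from the review), the following Python encodes and parses the phase-2 PAP username and password that an EAP-TTLS client sends inside the TLS tunnel, using the AVP format of the IETF draft later published as RFC 5281; the attribute codes and the 16-octet NUL padding of the password come from that specification, and the username and password are constructed sample values.

```python
import struct

# EAP-TTLS tunnel AVP (RFC 5281 s.10.1): code(4) flags(1) length(3, excludes padding) [Vendor-ID(4)] data
AVP_FLAG_VENDOR = 0x80     # V bit: a Vendor-ID field follows the length
AVP_FLAG_MANDATORY = 0x40  # M bit: a receiver that does not understand the AVP must fail
USER_NAME = 1              # RADIUS attribute numbers are reused as AVP codes
USER_PASSWORD = 2
KNOWN_AVPS = {(None, USER_NAME), (None, USER_PASSWORD)}

def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Serialise one AVP and zero-pad it to a 4-octet boundary."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor
    return header + data + b"\x00" * ((-len(data)) % 4)

def decode_avps(buf):
    """Parse a run of AVPs into (code, vendor_id, data) tuples, enforcing the M bit."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length %d" % length)
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        if flags & AVP_FLAG_MANDATORY and (vendor_id, code) not in KNOWN_AVPS:
            raise ValueError("unsupported mandatory AVP %d" % code)
        avps.append((code, vendor_id, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)  # step over the padding as well
    return avps

def build_pap_payload(username, password):
    """Client side: the phase-2 PAP payload that travels only inside the TLS tunnel.
    The password is NUL-padded to a multiple of 16 octets (RFC 5281 s.11.2.1) to hide its length."""
    pw = password.encode()
    pw += b"\x00" * ((-len(pw)) % 16)
    return encode_avp(USER_NAME, username.encode()) + encode_avp(USER_PASSWORD, pw)

def parse_pap_payload(buf):
    """Server side: recover the credentials and strip the NUL padding before checking them."""
    fields = {code: data for code, vid, data in decode_avps(buf) if vid is None}
    return fields[USER_NAME].decode(), fields[USER_PASSWORD].rstrip(b"\x00").decode()
```

Everything these functions produce is plaintext to the RADIUS server only after TLS decryption; on the air it is ciphertext keyed by a tunnel the client established against the server's certificate, which is why the client must verify that certificate.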

Prior to the adoption of the 802.1x protocol, many organizations deployed remote-access VPNs as overlay solutions for secure WLAN access to overcome the known security weaknesses that arise from the use of static WEP keys. But remote-access VPNs were designed for slow remote-access connections and are not optimized for the higher throughput environment of a WLAN.

Compared to VPN-based WLAN security solutions, 802.1x together with EAP-TLS or EAP-TTLS offers equivalent security but with the client-side encryption performed in the WLAN hardware instead of in software running on the client. This offers significant advantages, particularly with regard to server scalability and in the case of palmtop computers, which may lack the processing power and battery capacity for the VPN overhead. Today, many 802.1x implementations are vendor-specific and lock you into one vendor’s access points and WLAN cards. Odyssey delivers 802.1x security, but with complete vendor independence, simpler administration and greater scalability than either vendor-specific 802.1x implementations or remote-access VPNs.

Note, however, that 802.1x itself does not fix WEP. 802.1x is about authentication and key distribution - it makes no provisions or recommendations for an improved method of ensuring data privacy. In fact, WEP keys still form the basis of WLAN connection encryption. However, most of the EAP authentication types that are possible over 802.1x eliminate the security problems introduced by the use of static WEP keys.

Odyssey Server is a RADIUS server that is specialized in managing connections from WLAN clients, and provides security information to the WLAN access point so it can set up a secure private connection over the wireless link. Odyssey is an 802.1x WLAN security solution that can be easily and widely deployed on an enterprise network. Not only does it provide strong security, it is also easily managed. When a WLAN user connects using EAP-TTLS or EAP-TLS, protection of both the authentication and subsequent data connection is provided. By implementing EAP-TTLS, which is the equal of EAP-TLS in security, Odyssey offers a WLAN security infrastructure that can easily be utilized by a single user from any machine and that is compatible with existing authentication databases.
Contact Information:
  

Odyssey
Version 1.0

North America
Supplier: Funk Software, Inc.
Price: $2,500 (1 server and 25 clients)
Contact: (617) 497-6339
sales@funk.com
www.funk.com

UK/Europe
Supplier: Network Utilities (Systems) Ltd
Price: £1,995 (1 server and 25 clients)
Contact: +44 (0)20 8390 9911
sales@netutils.com
www.netutils.com

Asia Pacific
Supplier: Funk Software Inc
Contact: Malaysia +60 12 231 85 86
asia@funk.com
www.funk.com
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © West Coast Publishing. All rights reserved.